<html>
<head><meta charset="utf-8"><title>deps.rs and the RustSec DB · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html">deps.rs and the RustSec DB</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="224780136"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780136" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780136">(Feb 01 2021 at 19:40)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> you think we're implicated in this somehow? <a href="https://github.com/deps-rs/deps.rs/issues/97">https://github.com/deps-rs/deps.rs/issues/97</a></p>



<a name="224780210"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780210" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780210">(Feb 01 2021 at 19:41)</a>:</h4>
<p>Yes. I believe the advisory we're carrying for Cargo specifies versions in Rust version terms such as 1.27.1, and not Cargo crate version terms such as 0.50.0, and that's what's causing the issue.</p>



<a name="224780419"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780419" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780419">(Feb 01 2021 at 19:43)</a>:</h4>
<p>I think two issues are at play here:</p>
<ol>
<li><a href="http://libs.rs">libs.rs</a> is erroneously applying advisory under rust/ directory versioned in Rust release terms to cargo-the-crate</li>
<li>we're not actually carrying an advisory for cargo-the-crate under crates/ directory</li>
</ol>



<a name="224780449"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780449" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780449">(Feb 01 2021 at 19:43)</a>:</h4>
<p>There are crates out there depending on cargo, e.g. our very own cargo-geiger</p>



<a name="224780871"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780871" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780871">(Feb 01 2021 at 19:47)</a>:</h4>
<p>I guess we can duplicate the advisory into <code>crates/</code> and update it appropriately and use <a href="http://crates.io">crates.io</a> versions</p>



<a name="224780891"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780891" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780891">(Feb 01 2021 at 19:47)</a>:</h4>
<p>I think this is an issue in <a href="http://libs.rs">libs.rs</a> and not <code>rustsec</code> crate, because running <code>cargo audit</code> on cargo-geiger repo does not surface any warnings about <code>cargo</code> crate.</p>



<a name="224780912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/deps.rs%20and%20the%20RustSec%20DB/near/224780912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/deps.2Ers.20and.20the.20RustSec.20DB.html#224780912">(Feb 01 2021 at 19:47)</a>:</h4>
<p>Duplicating the advisory sounds like a good idea</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>